The user is using a deployment.config file with a link to a central
deployment.properties file, which specifies a shared cacerts file location.
The only disappointment with this method is the need to check for updates to
the cacerts file with each Java release and going through the process of
re-injecting the certs into the new cacerts file if it changed.
It would be nice to have a process where we a user can add the additional
certs to a centrally managed file that is automatically combined with the
cacerts file in the program files folder of the latest JRE. The only way to
accomplish this today would be to manage the user's trusted.cacerts file
instead of the system cacerts file. The downside to that is managing
trusted.cacerts takes away the ability to resolve one-off cert issues by
adding it at the user level on an individual machine. We could also create an
issue when the user cert file is first overwritten and had previously been
utilized to fix an undocumented trust issue.
This puts the user in a situation of which is the lesser evil. Managing via
the system level and knowing we need to stay on top of JRE releases that
contain an updated cacerts file or manage the user level and don't allow the
user or IT to fix one-off issues on an individual basis. It'd be nice to have
a solution where there are no cons to worry about.
If there was a way to have a separate file that is additive to the cacerts
file that comes with the Java installation that would eliminate this work.